How to Improve Your API Security Posture


APIs, more formally known as application programming interfaces, empower apps and microservices to communicate and share data. However, this level of connectivity doesn't come without major risks. Hackers can exploit vulnerabilities in APIs to gain unauthorized access to sensitive data or even take control of the entire system. Therefore, it's essential to have a robust API security posture to protect your organization from potential threats.

What is API posture management?

API posture management refers to the process of monitoring and managing the security posture of your APIs. It involves identifying potential vulnerabilities and misconfigurations that could be exploited by attackers, and taking the necessary steps to remediate them. Posture management also helps organizations classify sensitive data and ensure that it is handled in line with leading data-protection regulations such as GDPR, HIPAA, and PCI DSS.

As mentioned above, APIs are a popular target for attackers because they often provide direct access to sensitive data and systems. By implementing an API posture management tool, organizations can proactively identify and remediate potential security issues before they're exploited.

You can download a free copy of the Definitive Guide to API Posture Management to learn more.

How does API posture management work?

API posture management involves several key steps:

  1. Discovery: The first step is to identify all APIs in use within an organization. This can be done using automated tools or through manual inventory.
  2. Assessment: Once APIs have been identified, they need to be assessed for potential vulnerabilities and misconfigurations. This can be done using tools that scan APIs for known vulnerabilities or by conducting manual penetration testing.
  3. Remediation: Any vulnerabilities or misconfigurations that are identified need to be remediated. This may involve applying patches, reconfiguring APIs, or implementing additional security controls.
  4. Monitoring: Finally, APIs need to be continuously monitored to ensure that they remain secure. This may involve implementing intrusion detection systems, log analysis, or other monitoring tools.

How to improve your API security posture

Here are some best practices that can help improve your API security posture:

1. Use Secure Authentication and Authorization Mechanisms

Authentication and authorization mechanisms are essential components of API security. They ensure that only authenticated users can reach the API and that each of them can perform only the actions they are entitled to. Use standard, well-reviewed mechanisms such as OAuth 2.0 or OpenID Connect rather than home-grown schemes to protect your APIs from unauthorized access.

2. Implement Role-Based Access Control

Role-based access control (RBAC) is a security model that restricts access to resources based on the user's role. RBAC helps prevent unauthorized access to sensitive data by limiting access to only those users who need it to perform their job functions.

3. Use SSL/TLS Encryption

SSL/TLS (today, TLS) is the protocol that encrypts data in transit between the client and the server. It prevents eavesdropping and tampering on the wire, so it is essential for protecting your APIs from man-in-the-middle attacks.

4. Implement Rate Limiting

Rate limiting is a technique that restricts the number of API requests a client can make within a specific time frame. It helps prevent API abuse and keeps the API available to all users. Rate limiting also helps protect your APIs from denial-of-service (DoS) attacks.

5. Monitor and Log API Activity

Monitoring and logging API activity helps detect suspicious behaviour and potential security breaches. Monitor API activity in real time and log all API requests and responses, so that security incidents can be identified and acted on.

6. Conduct Regular API Security Audits

Regular API security audits help identify vulnerabilities and misconfigurations that may have been missed during the initial implementation. Conduct them on a schedule to ensure that your APIs remain secure and compliant with industry standards.
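As an added illustration of practices 2, 4 and 5 above (example code, not from the guide or any vendor product), the following Python gateway sketch applies a per-client token-bucket rate limit, an RBAC permission check that denies unknown roles by default, and an audit log that can be mined for clients accumulating denials. The role table, client ids and resource names are constructed for the example.

```python
import time
from collections import Counter
from typing import Callable, Dict, List, Set, Tuple

# Constructed role model for the example: role -> permitted (method, resource) pairs.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "reader": {("GET", "/orders")},
    "clerk": {("GET", "/orders"), ("POST", "/orders")},
    "admin": {("GET", "/orders"), ("POST", "/orders"), ("DELETE", "/orders")},
}


class TokenBucket:
    """Allows bursts of `capacity` requests, refilled at `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float, now: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now: float) -> bool:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(float(self.capacity), self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGateway:
    """Per-client rate limiting, RBAC authorization and an audit record for every decision."""

    def __init__(self, capacity: int = 5, rate: float = 1.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock          # injectable so tests can control time
        self.capacity = capacity
        self.rate = rate
        self.buckets: Dict[str, TokenBucket] = {}
        self.audit_log: List[Dict[str, object]] = []

    def handle(self, client_id: str, role: str, method: str, resource: str) -> int:
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.rate, now)
        # Rate limit before authorization so a flood of requests cannot exhaust
        # the (more expensive) policy checks and handlers behind it.
        if not bucket.allow(now):
            status = 429
        elif (method, resource) not in ROLE_PERMISSIONS.get(role, set()):
            status = 403   # authenticated, but the role is not permitted this action
        else:
            status = 200   # in a real service the resource handler runs here
        self.audit_log.append({"ts": now, "client": client_id, "role": role,
                               "method": method, "resource": resource, "status": status})
        return status

    def suspicious_clients(self, threshold: int = 3) -> List[str]:
        """Clients with `threshold` or more denials (403/429): candidates for alerting."""
        denials = Counter(e["client"] for e in self.audit_log if e["status"] in (403, 429))
        return sorted(c for c, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    gw = ApiGateway(capacity=3, rate=1.0)
    for _ in range(5):
        print(gw.handle("svc-a", "reader", "DELETE", "/orders"))   # 403, 403, 403, 429, 429
    print(gw.suspicious_clients())                                 # ['svc-a']
```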

Conclusion

APIs are a critical component of modern software development. However, with the increasing use of APIs, the risk of security breaches has also increased. Implementing API posture management can help improve your API security posture and protect your organization from potential threats. By following the best practices outlined in this article, you can reduce the risk of security breaches and ensure that your APIs are secure and compliant with industry standards.

This Definitive Guide focuses on the key requirements for API Security Posture Management; click here to download now.

What is a DNS Rebinding Attack? How It Works and How to Protect Against It



What is a DNS rebinding attack?
DNS rebinding is a form of computer attack based on domain names. In this attack, a malicious web page causes visitors to run a client-side script that attacks machines elsewhere on the network.

A DNS rebinding attack can be used to breach a private network by causing the victim's web browser to access machines at private IP addresses and return the results to the attacker. It can also be employed to use the victim's machine for spamming, distributed denial-of-service attacks or other malicious activities.

Cybercriminals can also carry out a DNS rebinding attack through malicious advertising (malvertising) and then gain access to private data on the network.

How does DNS rebinding work?
The attacker registers a domain (such as anydomain.com) and delegates it to a DNS server under the attacker's control. The server is configured to respond with a very short time to live (TTL) record, preventing the response from being cached. When the victim browses to the malicious domain, the attacker's DNS server first responds with the IP address of a server hosting the malicious client-side code.

For instance, they could point the victim's browser to a website that contains malicious JavaScript or Flash scripts that are intended to execute on the victim's computer.

The malicious client-side code makes additional accesses to the original domain name (such as attacker.com). These are permitted by the same-origin policy. However, when the victim's browser runs the script it makes a new DNS request for the domain, and the attacker replies with a new IP address. For instance, they could reply with an internal IP address or the IP address of a target somewhere else on the Internet.



How can we protect ourselves?
The following techniques attempt to prevent DNS rebinding attacks:
• Always use a strong password on your router.
• Disable administrative access to your router's console from any external network.
• Web browsers can implement DNS pinning: the IP address is locked to the value received in the first DNS response. This technique may block some legitimate uses of Dynamic DNS, and may not work against all attacks. However, it is important to fail safe (stop rendering) if the IP address does change, because using an IP address past the TTL expiration can open the opposite vulnerability when the IP address has legitimately changed and the expired IP address may now be controlled by an attacker.
• Private IP addresses can be filtered out of DNS responses.
• External public DNS servers with this filtering, e.g. OpenDNS.
• Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses. This has the downside of allowing an attacker to map the internal address ranges in use.
• DNS filtering in a firewall or daemon, e.g. dnswall.
• Web servers can reject HTTP requests with an unrecognized Host header.
• The Firefox NoScript extension provides partial protection (for private networks).

DNS rebinding was first discovered in 1996 and affected the Java virtual machine.
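Two of the mitigations listed above, filtering internal addresses out of DNS answers for external names and rejecting requests whose Host header is not one the server serves, are shown here as an added Python example (not code from dnswall, OpenDNS or any other tool named on the page). The internal zone corp.example, the host names and the sample answers are constructed for the example.

```python
import ipaddress
from typing import Iterable, List, Optional

# Ranges an external name must never resolve to when the answer is handed to a browser
# on the internal network: RFC 1918, loopback, link-local, CGNAT, "this network", ULA.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed for the example: zones the organisation itself owns, which are the only
# names that may legitimately resolve to internal addresses.
INTERNAL_ZONES = ("corp.example",)


def is_internal(addr: str) -> bool:
    """True if the address lies in an internal range (or cannot be parsed: fail closed)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # An IPv4-mapped IPv6 answer such as ::ffff:10.0.0.1 is judged by its IPv4 part.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_internal_name(qname: str, zones: Iterable[str] = INTERNAL_ZONES) -> bool:
    name = qname.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def filter_answers(qname: str, answers: Iterable[str],
                   zones: Iterable[str] = INTERNAL_ZONES) -> List[str]:
    """Drop internal addresses from the answer set of any name outside our own zones."""
    if is_internal_name(qname, zones):
        return list(answers)
    return [a for a in answers if not is_internal(a)]


def host_header_allowed(host_header: Optional[str], allowed_hosts: Iterable[str]) -> bool:
    """Accept a request only if its Host header names this server (port ignored)."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                # bracketed IPv6 literal, optional :port after ]
        end = host.find("]")
        if end == -1:
            return False
        host = host[:end + 1]
    else:
        host = host.split(":", 1)[0]
    host = host.rstrip(".")
    return host in {h.lower().rstrip(".") for h in allowed_hosts}


if __name__ == "__main__":
    # Rebinding step: attacker-controlled name suddenly answers with an internal address.
    print(filter_answers("attacker.example", ["203.0.113.5", "10.0.0.7"]))  # ['203.0.113.5']
    # The internal device receives the script's request with the attacker's Host header.
    print(host_header_allowed("attacker.example", ["router.corp.example"]))  # False
```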

Nmap 7.70 Released With Hundreds of New OS and Service Fingerprints, 9 New NSE Scripts


Nmap is a free security scanner, port scanner and network exploration tool. The open source software can be downloaded for Linux, Windows, UNIX, FreeBSD, and more.

Nmap 7.70 includes hundreds of new OS and service fingerprints, 9 new NSE scripts (for a total of 588), a much-improved version of the Npcap Windows packet capturing library/driver, and service detection improvements to make -sV faster and more accurate. And those are just a few of the dozens of improvements described below.

Nmap 7.70 source code and binary packages for Linux, Windows, and Mac are available for free.

If you find any bugs in this release, please let the project know on the Nmap Dev list or bug tracker as described at https://nmap.org/book/man-bugs.html.

Here is the full list of significant changes in Nmap 7.70:


• [Windows] We made a ton of improvements to our Npcap Windows packet capturing library (https://nmap.org/npcap/) for greater performance and stability, as well as a smoother installer and better 802.11 raw frame capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to 0.99-r2, including all of these changes from the last seven Npcap releases: https://nmap.org/npcap/changelog

• Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release.

• Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more.

• Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.

• Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller]

• [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manually ran this NSE script against a malicious web server, the server could potentially (depending on the NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]

• [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:



  - deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
  - hostmap-crtsh lists subdomains by querying Google's Certificate Transparency logs. [Paulino Calderon]
  - [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer. [Seth Jackson]
  - http-jsonp-detection attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass same-origin policy restrictions in web browsers. [Vinamra Bhatia]
  - http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices. [Pedro Joaquin]
  - [GH#609] nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information. [Mak Kolybabi]
  - rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to the Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS services. [Daniel Miller]
  - [GH#987] smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems require a privileged domain account in order to list the services. [Rewanth Cool]
  - tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely supersedes NPN, which tls-nextprotoneg was written for. [Daniel Miller]



• [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This was causing Ncat 7.60 in connect mode to quit with the error: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket. [nnposter]

• [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation, the same issue that was partially fixed for server mode in [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel Miller]

• [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle misbehaving or rate-limiting services. Most significantly, brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for reporting infinite loops and proposing changes.

• [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30). [Daniel Miller]

• [NSE][GH#1111] Fix a script crash in ftp.lua when the PASV connection timed out. [Aniket Pandey]

• [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response message, since the first message usually only has one address in it. [h43z]

• [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy type. [Pavel Zhukov]

• [NSE] memcached-info can now gather information from the UDP memcached service in addition to the TCP service. The UDP service is frequently used as a DDoS reflector and amplifier. [Daniel Miller]

• [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]



• Removed deprecated and undocumented aliases for several long options that used underscores instead of hyphens, such as --max_retries. [Daniel Miller]

• Improved the service scan's treatment of soft matches in two ways. First, any probes that could result in a full match with the soft-matched service will now be sent, regardless of rarity. This improves the chances of matching unusual services on non-standard ports. Second, probes are now skipped if they don't contain any signatures for the soft-matched service. Previously the probes would still be run as long as the target port number matched the probe's specification. Together, these changes should make service/version detection faster and more accurate. For more details on how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]

• --version-all now turns off the soft match optimization, ensuring that all probes really are sent, even if there aren't any existing match lines for the soft-matched service. This is slower, but gives the most comprehensive results and produces better fingerprints for submission. [Daniel Miller]

• [NSE][GH#1083] New set of Telnet softmatches for version detection based on the Telnet DO/DON'T options offered, covering a wide variety of devices and operating systems. [D Roberson]

• [GH#1112] Resolved crash opportunities caused by an unexpected libpcap version string format. [Gisle Vanem, nnposter]

• [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for indications of login failure. [Daniel Miller]

• [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate destination directories. [Aniket Pandey]

• [NSE] Added new fingerprints to http-default-accounts:
  + Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
  + [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]



• Added a new service detection match for WatchGuard Authentication Gateway. [Paulino Calderon]

• [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays (parameter qscan.delay). [nnposter]

• [NSE][GH#1046] Script http-headers now fails properly if the target does not return a valid HTTP response. [spacewander]

• [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465. [Codarren Velvindron]

• [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable. [Juho Jokelainen]

• [NSE][GH#958] Two new libraries for NSE:
  - idna - support for internationalized domain names in applications (IDNA)
  - punycode (a transfer encoding syntax used in IDNA) [Rewanth Cool]

• [NSE] New fingerprints for http-enum:
  - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
  - [GH#767] Many WordPress version detections [Rewanth Cool]

• [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues [nnposter]:
  - Usernames and/or passwords could not be empty
  - Passwords could not contain colons
  - SOCKS5 authentication was not properly documented
  - SOCKS5 authentication had a memory leak

• [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be run. [Lukas Schwaighofer]

• [GH#977] Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet-wide survey. Numerous false positives were removed and reliable softmatches added. Match lines for version.bind responses were also consolidated using the technique below. [Tom Sellers]

• [GH#977] Changed version probe fallbacks so as to work cross-protocol (TCP/UDP). This allows consolidating match lines for services where the responses on TCP and UDP are similar. [Tom Sellers]

• [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSoC 2014, so we're particularly pleased to finally integrate it! [Claudiu Perta, Daniel Miller]

• [NSE][GH#1004] Fixed handling of the brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries.

• [NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected. [Vinamra Bhatia]

• [GH#926] The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL on odd ports without increasing version intensity. [Paulino Calderon]

• [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even if a different version was actually linked. [Pavel Zhukov]

• Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian. [Daniel Miller]

Enjoy this new release and please do let us know if you find any problems!

Download link: https://nmap.org/download.html
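The http-fetch directory traversal fix and the url.absolute() change to RFC 3986 dot-segment handling both come down to path normalization. The following added example (Python, not Nmap's own Lua code) implements the remove_dot_segments algorithm of RFC 3986 section 5.2.4 and uses it to map a fetched URL path onto a local destination directory while refusing anything that could escape it; the destination directory and URL paths are constructed samples.

```python
import posixpath
from typing import List, Optional
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: resolve "." and ".." segments of a URL path."""
    inp = path
    out: List[str] = []   # output buffer as segments, each keeping its leading "/"
    while inp:
        if inp.startswith("../"):        # step A
            inp = inp[3:]
        elif inp.startswith("./"):       # step A
            inp = inp[2:]
        elif inp.startswith("/./"):      # step B: "/./x" -> "/x"
            inp = inp[2:]
        elif inp == "/.":                # step B
            inp = "/"
        elif inp.startswith("/../"):     # step C: "/../x" -> "/x", drop last output segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":               # step C
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):         # step D
            inp = ""
        else:                            # step E: move the first segment to the output
            idx = inp.find("/", 1 if inp.startswith("/") else 0)
            if idx == -1:
                out.append(inp)
                inp = ""
            else:
                out.append(inp[:idx])
                inp = inp[idx:]
    return "".join(out)


def local_path_for(dest_dir: str, url_path: str) -> Optional[str]:
    """Map a fetched URL path to a file under dest_dir, or None if it must not be written."""
    if not posixpath.isabs(dest_dir):
        raise ValueError("dest_dir must be an absolute path")
    decoded = unquote(url_path)          # "%2e%2e" becomes ".." before normalization
    if "\x00" in decoded:                # a NUL byte would truncate the name in the OS call
        return None
    normalized = remove_dot_segments("/" + decoded.lstrip("/"))
    rel = normalized.lstrip("/")
    if rel == "" or rel.endswith("/"):   # directory URL: store it as its index page
        rel = posixpath.join(rel, "index.html")
    base = posixpath.normpath(dest_dir)
    candidate = posixpath.normpath(posixpath.join(base, rel))
    # Defense in depth: the normalization above should make this unreachable, but a
    # future change to either step must not silently reopen the traversal.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print(remove_dot_segments("/a/b/c/./../../g"))                   # /a/g (RFC example)
    print(local_path_for("/tmp/fetch", "/%2e%2e/%2e%2e/etc/passwd"))  # /tmp/fetch/etc/passwd
```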

              jSQL An Automatic SQL Injection Tool Written in Java




jSQL Injection is a lightweight application used to find database information from a distant server.

It is free, open source and cross-platform (Windows, Linux, Mac OS X).

jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in other distributions like Pentest Box, Parrot Security OS, ArchStrike or BlackArch Linux.

Features

• Automatic injection of 23 kinds of databases: Access, CockroachDB, CUBRID, DB2, Derby, Firebird, H2, Hana, HSQLDB, Informix, Ingres, MaxDB, Mckoi, MySQL{MariaDb}, Neo4j, NuoDB, Oracle, PostgreSQL, SQLite, SQL Server, Sybase, Teradata and Vertica
• Multiple injection strategies: Normal, Error, Blind and Time
• SQL engine to study and optimize SQL expressions
• Injection of multiple targets
• Search for administration pages
• Creation and visualisation of Web shell and SQL shell
• Read and write files on host using injection
• Brute force of password hashes
• Encode and decode a string

Installation

Install Java 8, then download the latest release of jSQL Injection and double-click on the file jsql-injection-v0.79.jar to launch the software.

You can also type java -jar jsql-injection-v0.79.jar in your terminal to start the program.
If you are using Kali Linux then get the latest release using the commands apt update and then apt full-upgrade.

Download jSQL Tool

Disclaimer:
Attacking a web server is illegal without prior mutual consent. The end user is responsible for obeying all applicable laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

              Linux Server Security - Hack and Defend ($29 Value) FREE For a Limited Time



Learn how to attack and defend the world's most popular web server platform.

Linux Server Security: Hack and Defend presents a detailed guide for experienced admins, aspiring hackers and other IT professionals seeking a more advanced understanding of Linux security. Written by a 20-year veteran of Linux server deployment, this book provides the insight of experience along with highly practical instruction.

This eBook will help you:

• Master hacking tools and launch sophisticated attacks: perform SQL injections, deploy multiple server exploits and crack complex passwords
• Defend systems and networks: make your servers invisible, be confident of your security with penetration testing and repel unwelcome attackers
• Increase your background knowledge of attacks on systems and networks and improve the all-important practical skills required to secure any Linux server
• Diverse, broadly applicable and hands-on practical, Linux Server Security: Hack and Defend is the essential resource to further your career.

              Dork-cli Command Line Tool To Find Google Dork



dork-cli performs searches against a Google custom search engine and returns a list of all the unique page results it finds, optionally filtered by a set of dynamic page extensions. Any number of additional query terms / dorks can be specified. dork-cli was designed to be piped into an external tool such as a vulnerability scanner for automated testing purposes.


Setup

In order to use this program you need to configure at a minimum two settings: a Google API key and a custom search engine id.

Custom Search Engine:

• Create a custom search engine via https://www.google.com/cse/
• Add your desired domain(s) under "Sites to search"
• Click the "Search engine ID" button to reveal the id, or grab it from the "cx" URL parameter

API key:

• Open the Google API console at https://code.google.com/apis/console
• Enable the Custom Search API via APIs & auth > APIs
• Create a new API key via APIs & auth > Credentials > Create new Key
• Select "Browser key", leave HTTP Referer blank and click Create

Usage

$ ./dork-cli.py -h
usage: dork-cli.py [-h] [-e ENGINE] [-f [FILETYPES]] [-k KEY] [-m MAX_QUERIES]
                   [-s SLEEP]
                   [T [T ...]]

Find dynamic pages via Google dorks.

positional arguments:
  T                     additional search term

optional arguments:
  -h, --help            show this help message and exit
  -e ENGINE, --engine ENGINE
                        Google custom search engine id (cx value)
  -f [FILETYPES], --filetypes [FILETYPES]
                        File extensions to return (if present but no
                        extensions specified, builtin dynamic list is used)
  -k KEY, --key KEY     Google API key
  -m MAX_QUERIES, --max-queries MAX_QUERIES
                        Maximum number of queries to issue
  -s SLEEP, --sleep SLEEP
                        Seconds to sleep before retry if daily API limit is
                        reached (0=disable)

Examples:

• NOTE: including -f/--filetypes without an argument, e.g. followed by --, defaults to filtering by a builtin list of dynamic file extensions.

$ ./dork-cli.py inurl:login
https://www.example.com/usher/Login.aspx
https://www.example.com/login/
http://www.example.com/rooms/index.php?option=com_user&view=login&Itemid=8
http://www.example.com/index.php?cmd=login
[...]
$ ./dork-cli.py --filetypes -- inurl:id
http://www.example.com/its/sla/sla.php?id=1617
http://www.example.com/bbucks/index.php?site=5&scode=0&id=720
http://www.example.com/directory/details.aspx?id=33
http://www.example.com/SitePages/VOIP%20ID.aspx
http://www.example.com/personnel_ext.php?id=44
http://www.example.com/its/alerts/event.php?id=7220
[...]
$ ./dork-cli.py --filetypes=php,aspx intitle:login inurl:admin
https://www.example.com/users/lab/admin/portal.php
https://www.example.com/admin/start/login.aspx?ReturnUrl=%2Fadmin%2Fscheduling%2Faudit%2Fdefault.aspx
http://www.example.com/admin/admin.php
[...]

API Limitations

The free Google API limits you to 100 searches per day, with a maximum of 10 results per search. This means that if you configure dork-cli.py to return 100 results, it will issue 10 queries (1/10th of your daily limit) each time it is run.

You have the option to pay for additional searches via the Google API console. At the time of writing, signing up for billing on the Google API site gets you $300 free to spend on API calls for 60 days.

Download
